The Board and Cybersecurity
New security policies for the board
Everyone knows about the importance of having the board engaged with cybersecurity if you’re going to successfully implement anything security related. The latest proposal by SEC (US Securities and Exchange Commission) requires publicly traded companies to disclose some of the details regarding cyber incidents, a company’s cybersecurity capabilities, boards’ cybersecurity expertise and details on how cybersecurity is overseen by the board.
With this potential proposal at hand, we may see the board being completely forced to participate in everything cybersecurity related, no more excuses. Furthermore, due to cyber risks always posing a threat to data and a brand’s reputation, we will find that many private companies and nonprofits are going to raise the board-level oversight of cybersecurity.
SEC’s requirements create awareness of board-level oversight of cybersecurity. This alone creates a heightened expectation by the public when it comes to disclosures. Stakeholders of nonpublic companies will want reassurance of cybersecurity measures as well. The growing concern of personally identifiable information (PII) being protected, while also meeting digital growth objectives.
While in the past there were audit committees that took care of overseeing cybersecurity, the board is beginning to need to be involved because of the complex nature of technology. When you look at the way business is conducted now, everything moves along a digital communication wave and technological structure. Just think of the cloud and remote workforce. Working online and with technology begins with the back office, moves to the manufacturing floor, and ends with customer experience. With everything flowing and working through connected technology, you want eyes on all potential high-profile ransomware attacks, DoS intrusions, zero-day exploits, and other type of threat behavior.
The recent proposed SEC rules may require public boards to welcome changes in ways they are unfamiliar with. Audit committees are already overloaded, which means they are going to have a great challenge in meeting the new SEC requirements. This is where a new board function that addresses cyber risk may be exactly what will help with this.
The latest cybersecurity policies proposed by SEC may speed up the change in board composition, starting with the companies that hold strategic data and technology that is critical for operations.
If you take a look at the NACD Cyber-Risk Oversight Handbook you can find five principles for board oversight of cybersecurity risks. We’ll list them for you here too.
- Directors should understand and approach cybersecurity as a part of the business process, strategically and operationally. It is not just an IT risk or concern.
- Directors should understand the legal implications of cyber risks for their specific company’s needs and requirements.
- Boards should have cybersecurity expertise available to them. They should also have conversations around cyber risk management as part of the board meeting agenda with these experts.
- Directors should set management expectations that match needs for enterprise-wide cyber risk framework and strategy. This also means having adequate staffing and budget.
- Board-management discussions about cyber risk want to also identify and quantify financial risks. This means looking closely at which risks to accept, mitigate, or transfer, such as through insurance.
Overseeing cyber risk management by the board can help you to respond to the new SEC cybersecurity proposal, as well as set up your company to improve cybersecurity. In an effort to support your journey further, here are some questions you can ask.
- What will the material impact of cyber incidents have on business? And how do we go about monetizing cyber risks?
- Can we objectively understand our company’s cybersecurity potential and capabilities? Do our business continuity plans, remediation plans, policies and procedures identify and manage the cyber risks we face?
- How does our company’s operational structure affect our security? What risks do our supply chain and third-party and/or fourth-party suppliers bring to the business?
- Do we have an effective cybersecurity governance structure in place?
- Does our board meet the requirements of SEC when it comes to cybersecurity expertise, or will we need to add members that hold the applicable required qualifications?
- Will our company be able to engage in cyber incident reporting as required by the SEC, and be able to meet the time and manner of reporting requirements?
With these questions you can gain a clearer idea of how prepared or unprepared your board members are, as well as what next steps to take to get everyone onboard with cybersecurity for your business and these newly developed policies proposed by the SEC.
If you need help, schedule your free consultation here: https://calendly.com/ncxgroup
Photo courtesy of corgarashu